hxxp://# 🔴 Cloudflare Warp+ 💖 Traffic[:] 2400 TB 💖 For 5 Devices 💖 Site[:] hxxps://1[.]1[.]1[.]1 # 🟢Keys[:] oFS7x198-l9845BXZ-P4Up03c1 6ajc281W-chn962A3-12n0F5Gi D04G5O3M-IF37Mn09-816wE4oq PO0B134K-2bzL073G-q9l73Ih2 e6PJ83Q0-6h4trK52-OXxv6780 S2e1P5t0-D80bJ5L2-n79d43Mf Swf9168h-0H85cfe6-y6n27b5K X7n93hm2-H3iG954e-v6459CXy Hg16RZ20-2Y594ghZ-Hk6aq392 8R09kQ7K-4yI5B67v-c398G0Ae 4an6g1F0-U87j4CB9-8U07zXk1 bF0916ve-Z02sK5P8-Q50u9R6W Cb972im1-9er7FR21-Jo574QD3 h251G0te-t26z8fs4-Y8Hs76W4 h1J376kv-Po1472Fd-R3741bSw l07uzZ46-18U0Z5eX-Ir2S18e7 S859srg0-B81T95DP-9huAi185 r39W78oQ-t8O5u4Y1-546nz7IE 3725zhGf-K645A1WF-6da98KV4 7nz50Ga3-P4O93Ym2-yxH847S5 4O8SuI73-E20OlN43-378J2haV 2d7e94PO-1ed48l5I-2u50Zs3v 27QY9qt5-0O3K9ye7-3Ax78on2 C2m7IJ90-M45s1G8q-g846WQq5 31H7e6nb-io60En71-4AQ1jU95 AO016Fx4-718jFR4w-82xCPF09 0O3g2ql4-0MR74w1e-50dXn37v Mar2496p-M8z69Fw5-8ehb723V t2g3h40W-Ohy52u16-5M76SD8N 4f6bT90e-42UEFg57-3f1v6J4s 81NctR24-e4c0Lp39-c2Qa584r W3768HhL-6VRv854Y-1940qDfw xK08RV35-83B4Gr7H-sZ98v54Q W97B4U3T-l94B65xq-Bx0p92u7 B1N4m79w-9Zy425oT-6xOG893Q 6Vx97Xk0-3U459pnL-aT326Nb8 Kc42U3a1-4vb36F8j-j21N5M7b 0mt469Kn-8IE527qr-s638ti9u 5S907bJh-B9k4V8K2-3o8nE6l0 FA5286bQ-wr752DI9-R96YD32q C7QfL319-67Ohb0w5-80id39sI 08nPd26p-1T0s98bG-J2bu315s r1b7HD92-x75Tg42E-B8MH95s4 es92qG31-6l187iaH-f93ceg20 y941xQY7-230Bp4qX-s1IRt495 ks50j19O-e38lB49M-rq9A170z 7UO0e96A-821o4dQq-69DC3U8w 0K59R3Ng-3zl184rN-64L9JEX5 V9hU4M36-521V8Fxz-6P01fG9U 2H4o0vG3-6k74P9pN-96V2q0vY 073T6feQ-Ns2i8n39-Z8X2I0C9 0r146tyZ-864IkBh9-t4lYz586 1d9DW82N-1cV7n36C-XE08dB27 HRK10E32-Rt4L6X81-48A76euG 9JAu4i31-ch2wH561-1Y9y7Ke6 f46aJ29t-0zvJg784-WP862C1e 8czC976t-3paLn504-2qX81r3E 9D8v40Gl-v2Q8z6g1-46I8Y9Vy 6k1D94uN-z1igt423-581rq0Gu 6on7z45e-4z2GW1L6-P7q2w0X5 O7L095KB-4L81yP7O-2iZR93m6 6BG51c7u-61S5wi9x-ys26r5I7 tYk9a803-936UyXC7-CB290UN7 0tl1w37T-I1Hd9W78-02gx4K8Z vy493h5O-GE539f7a-pb3U209u 913e4DzT-3ow60a4T-o253vkL6 4Bun617h-5u2cTP93-y4oE3M57 4851LTOM-53F7p9CE-JS83j2H4

Analysis

max time kernel
1080s
max time network
1169s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
31/05/2024, 14:05

Sharing

Behavioral task

behavioral1

Sample

http://# 🔴 Cloudflare Warp+ 💖 Traffic: 2400 TB 💖 For 5 Devices 💖 Site: https://1.1.1.1 # 🟢Keys: oFS7x198-l9845BXZ-P4Up03c1 6ajc281W-chn962A3-12n0F5Gi D04G5O3M-IF37Mn09-816wE4oq PO0B134K-2bzL073G-q9l73Ih2 e6PJ83Q0-6h4trK52-OXxv6780 S2e1P5t0-D80bJ5L2-n79d43Mf Swf9168h-0H85cfe6-y6n27b5K X7n93hm2-H3iG954e-v6459CXy Hg16RZ20-2Y594ghZ-Hk6aq392 8R09kQ7K-4yI5B67v-c398G0Ae 4an6g1F0-U87j4CB9-8U07zXk1 bF0916ve-Z02sK5P8-Q50u9R6W Cb972im1-9er7FR21-Jo574QD3 h251G0te-t26z8fs4-Y8Hs76W4 h1J376kv-Po1472Fd-R3741bSw l07uzZ46-18U0Z5eX-Ir2S18e7 S859srg0-B81T95DP-9huAi185 r39W78oQ-t8O5u4Y1-546nz7IE 3725zhGf-K645A1WF-6da98KV4 7nz50Ga3-P4O93Ym2-yxH847S5 4O8SuI73-E20OlN43-378J2haV 2d7e94PO-1ed48l5I-2u50Zs3v 27QY9qt5-0O3K9ye7-3Ax78on2 C2m7IJ90-M45s1G8q-g846WQq5 31H7e6nb-io60En71-4AQ1jU95 AO016Fx4-718jFR4w-82xCPF09 0O3g2ql4-0MR74w1e-50dXn37v Mar2496p-M8z69Fw5-8ehb723V t2g3h40W-Ohy52u16-5M76SD8N 4f6bT90e-42UEFg57-3f1v6J4s 81NctR24-e4c0Lp39-c2Qa584r W3768HhL-6VRv854Y-1940qDfw xK08RV35-83B4Gr7H-sZ98v54Q W97B4U3T-l94B65xq-Bx0p92u7 B1N4m79w-9Zy425oT-6xOG893Q 6Vx97Xk0-3U459pnL-aT326Nb8 Kc42U3a1-4vb36F8j-j21N5M7b 0mt469Kn-8IE527qr-s638ti9u 5S907bJh-B9k4V8K2-3o8nE6l0 FA5286bQ-wr752DI9-R96YD32q C7QfL319-67Ohb0w5-80id39sI 08nPd26p-1T0s98bG-J2bu315s r1b7HD92-x75Tg42E-B8MH95s4 es92qG31-6l187iaH-f93ceg20 y941xQY7-230Bp4qX-s1IRt495 ks50j19O-e38lB49M-rq9A170z 7UO0e96A-821o4dQq-69DC3U8w 0K59R3Ng-3zl184rN-64L9JEX5 V9hU4M36-521V8Fxz-6P01fG9U 2H4o0vG3-6k74P9pN-96V2q0vY 073T6feQ-Ns2i8n39-Z8X2I0C9 0r146tyZ-864IkBh9-t4lYz586 1d9DW82N-1cV7n36C-XE08dB27 HRK10E32-Rt4L6X81-48A76euG 9JAu4i31-ch2wH561-1Y9y7Ke6 f46aJ29t-0zvJg784-WP862C1e 8czC976t-3paLn504-2qX81r3E 9D8v40Gl-v2Q8z6g1-46I8Y9Vy 6k1D94uN-z1igt423-581rq0Gu 6on7z45e-4z2GW1L6-P7q2w0X5 O7L095KB-4L81yP7O-2iZR93m6 6BG51c7u-61S5wi9x-ys26r5I7 tYk9a803-936UyXC7-CB290UN7 0tl1w37T-I1Hd9W78-02gx4K8Z vy493h5O-GE539f7a-pb3U209u 913e4DzT-3ow60a4T-o253vkL6 4Bun617h-5u2cTP93-y4oE3M57 4851LTOM-53F7p9CE-JS83j2H4

Resource

win10v2004-20240508-en

execution persistence

windows10-2004-x64

20 signatures

300 seconds

Report Analysis Logs

General

Target

http://# 🔴 Cloudflare Warp+ 💖 Traffic: 2400 TB 💖 For 5 Devices 💖 Site: https://1.1.1.1 # 🟢Keys: oFS7x198-l9845BXZ-P4Up03c1 6ajc281W-chn962A3-12n0F5Gi D04G5O3M-IF37Mn09-816wE4oq PO0B134K-2bzL073G-q9l73Ih2 e6PJ83Q0-6h4trK52-OXxv6780 S2e1P5t0-D80bJ5L2-n79d43Mf Swf9168h-0H85cfe6-y6n27b5K X7n93hm2-H3iG954e-v6459CXy Hg16RZ20-2Y594ghZ-Hk6aq392 8R09kQ7K-4yI5B67v-c398G0Ae 4an6g1F0-U87j4CB9-8U07zXk1 bF0916ve-Z02sK5P8-Q50u9R6W Cb972im1-9er7FR21-Jo574QD3 h251G0te-t26z8fs4-Y8Hs76W4 h1J376kv-Po1472Fd-R3741bSw l07uzZ46-18U0Z5eX-Ir2S18e7 S859srg0-B81T95DP-9huAi185 r39W78oQ-t8O5u4Y1-546nz7IE 3725zhGf-K645A1WF-6da98KV4 7nz50Ga3-P4O93Ym2-yxH847S5 4O8SuI73-E20OlN43-378J2haV 2d7e94PO-1ed48l5I-2u50Zs3v 27QY9qt5-0O3K9ye7-3Ax78on2 C2m7IJ90-M45s1G8q-g846WQq5 31H7e6nb-io60En71-4AQ1jU95 AO016Fx4-718jFR4w-82xCPF09 0O3g2ql4-0MR74w1e-50dXn37v Mar2496p-M8z69Fw5-8ehb723V t2g3h40W-Ohy52u16-5M76SD8N 4f6bT90e-42UEFg57-3f1v6J4s 81NctR24-e4c0Lp39-c2Qa584r W3768HhL-6VRv854Y-1940qDfw xK08RV35-83B4Gr7H-sZ98v54Q W97B4U3T-l94B65xq-Bx0p92u7 B1N4m79w-9Zy425oT-6xOG893Q 6Vx97Xk0-3U459pnL-aT326Nb8 Kc42U3a1-4vb36F8j-j21N5M7b 0mt469Kn-8IE527qr-s638ti9u 5S907bJh-B9k4V8K2-3o8nE6l0 FA5286bQ-wr752DI9-R96YD32q C7QfL319-67Ohb0w5-80id39sI 08nPd26p-1T0s98bG-J2bu315s r1b7HD92-x75Tg42E-B8MH95s4 es92qG31-6l187iaH-f93ceg20 y941xQY7-230Bp4qX-s1IRt495 ks50j19O-e38lB49M-rq9A170z 7UO0e96A-821o4dQq-69DC3U8w 0K59R3Ng-3zl184rN-64L9JEX5 V9hU4M36-521V8Fxz-6P01fG9U 2H4o0vG3-6k74P9pN-96V2q0vY 073T6feQ-Ns2i8n39-Z8X2I0C9 0r146tyZ-864IkBh9-t4lYz586 1d9DW82N-1cV7n36C-XE08dB27 HRK10E32-Rt4L6X81-48A76euG 9JAu4i31-ch2wH561-1Y9y7Ke6 f46aJ29t-0zvJg784-WP862C1e 8czC976t-3paLn504-2qX81r3E 9D8v40Gl-v2Q8z6g1-46I8Y9Vy 6k1D94uN-z1igt423-581rq0Gu 6on7z45e-4z2GW1L6-P7q2w0X5 O7L095KB-4L81yP7O-2iZR93m6 6BG51c7u-61S5wi9x-ys26r5I7 tYk9a803-936UyXC7-CB290UN7 0tl1w37T-I1Hd9W78-02gx4K8Z vy493h5O-GE539f7a-pb3U209u 913e4DzT-3ow60a4T-o253vkL6 4Bun617h-5u2cTP93-y4oE3M57 4851LTOM-53F7p9CE-JS83j2H4

Score

8^/10

execution persistence

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Executes dropped EXE 5 IoCs

pid	Process
3608	Cloudflare WARP.exe
5280	Cloudflare WARP.exe
380	Cloudflare WARP.exe
4900	Cloudflare WARP.exe
2688	Cloudflare WARP.exe

Loads dropped DLL 54 IoCs

pid	Process
6136	MsiExec.exe
3856	rundll32.exe
3856	rundll32.exe
3856	rundll32.exe
3856	rundll32.exe
3856	rundll32.exe
4700	MsiExec.exe
4700	MsiExec.exe
2392	MsiExec.exe
2532	rundll32.exe
2532	rundll32.exe
2532	rundll32.exe
2532	rundll32.exe
2532	rundll32.exe
3272	MsiExec.exe
4700	MsiExec.exe
3608	Cloudflare WARP.exe
3608	Cloudflare WARP.exe
2280	MsiExec.exe
6124	rundll32.exe
6124	rundll32.exe
6124	rundll32.exe
2280	MsiExec.exe
5352	rundll32.exe
5352	rundll32.exe
5352	rundll32.exe
5352	rundll32.exe
5352	rundll32.exe
5160	MsiExec.exe
5160	MsiExec.exe
5160	MsiExec.exe
2112	MsiExec.exe
3372	MsiExec.exe
5304	rundll32.exe
5304	rundll32.exe
5304	rundll32.exe
5304	rundll32.exe
5304	rundll32.exe
3372	MsiExec.exe
4664	rundll32.exe
4664	rundll32.exe
4664	rundll32.exe
4664	rundll32.exe
4664	rundll32.exe
2112	MsiExec.exe
5160	MsiExec.exe
5280	Cloudflare WARP.exe
5280	Cloudflare WARP.exe
380	Cloudflare WARP.exe
380	Cloudflare WARP.exe
4900	Cloudflare WARP.exe
4900	Cloudflare WARP.exe
2688	Cloudflare WARP.exe
2688	Cloudflare WARP.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Cloudflare\Cloudflare WARP\warp-dex.exe	msiexec.exe
File opened for modification	C:\Program Files\Cloudflare\Cloudflare WARP\warp_ipc.dll	msiexec.exe
File opened for modification	C:\Program Files\Cloudflare\Cloudflare WARP\warp-cli.exe	msiexec.exe
File opened for modification	C:\Program Files\Cloudflare\Cloudflare WARP\warp-cli.exe	msiexec.exe
File opened for modification	C:\Program Files\Cloudflare\Cloudflare WARP\wintun.dll	msiexec.exe
File opened for modification	C:\Program Files\Cloudflare\Cloudflare WARP\warp-dex.exe	msiexec.exe
File created	C:\Program Files\Cloudflare\Cloudflare WARP\warp-diag.exe	msiexec.exe
File created	C:\Program Files\Cloudflare\Cloudflare WARP\warp-svc.exe	msiexec.exe
File created	C:\Program Files\Cloudflare\Cloudflare WARP\warp-cli.exe	msiexec.exe
File opened for modification	C:\Program Files\Cloudflare\Cloudflare WARP\warp-diag.exe	msiexec.exe
File opened for modification	C:\Program Files\Cloudflare\Cloudflare WARP\warp-svc.exe	msiexec.exe
File created	C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe	msiexec.exe
File created	C:\Program Files\Cloudflare\Cloudflare WARP\wintun.dll	msiexec.exe
File opened for modification	C:\Program Files\Cloudflare\Cloudflare WARP\wintun.dll	msiexec.exe
File opened for modification	C:\Program Files\Cloudflare\Cloudflare WARP\warp-diag.exe	msiexec.exe
File opened for modification	C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe	msiexec.exe
File opened for modification	C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe	msiexec.exe
File opened for modification	C:\Program Files\Cloudflare\Cloudflare WARP\warp-svc.exe	msiexec.exe
File opened for modification	C:\Program Files\Cloudflare\Cloudflare WARP\warp_ipc.dll	msiexec.exe
File created	C:\Program Files\Cloudflare\Cloudflare WARP\warp-dex.exe	msiexec.exe
File created	C:\Program Files\Cloudflare\Cloudflare WARP\warp_ipc.dll	msiexec.exe

Drops file in Windows directory 57 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI3F88.tmp-\Common.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI3E10.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI3F88.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3F88.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI4337.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4337.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI4AE9.tmp-\Newtonsoft.Json.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIA0EE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4AE9.tmp-\Common.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI4337.tmp-\Newtonsoft.Json.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI4AE9.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIA0EE.tmp-\Common.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIAD95.tmp-\Warp.Installer.Actions.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIAD95.tmp-\Common.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI3E10.tmp-\Warp.Installer.Actions.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI3F88.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI4337.tmp-\Common.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI4AE9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA46B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB016.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4083.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAD95.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI3E10.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4F60.tmp	msiexec.exe
File created	C:\Windows\Installer\e589a86.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4BD5.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA0EE.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIA0EE.tmp-\Newtonsoft.Json.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\{CE09034A-E1A4-41FC-A56B-B4E7E3C34B85}\icon.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA0EE.tmp-\Warp.Installer.Actions.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI3E10.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI4337.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIB3E0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAD95.tmp-\Newtonsoft.Json.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI3E10.tmp-\Common.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI3F88.tmp-\Newtonsoft.Json.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI4269.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4299.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4AE9.tmp-\Warp.Installer.Actions.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIA4F8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4249.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA43B.tmp	msiexec.exe
File created	C:\Windows\Installer\{CE09034A-E1A4-41FC-A56B-B4E7E3C34B85}\icon.ico	msiexec.exe
File created	C:\Windows\Installer\e589a88.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3F88.tmp-\Warp.Installer.Actions.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI42D9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4AE9.tmp-\CustomAction.config	rundll32.exe
File created	C:\Windows\Installer\SourceHash{CE09034A-E1A4-41FC-A56B-B4E7E3C34B85}	msiexec.exe
File opened for modification	C:\Windows\Installer\e589a86.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA0EE.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIAD95.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAD95.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI3E10.tmp-\Newtonsoft.Json.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI4337.tmp-\Warp.Installer.Actions.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Launches sc.exe 11 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5460	sc.exe
4880	sc.exe
5628	sc.exe
1528	sc.exe
1460	sc.exe
2628	sc.exe
4964	sc.exe
3768	sc.exe
5468	sc.exe
1376	sc.exe
5816	sc.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000005b1010511f65dd1c0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800005b1010510000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809005b101051000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d5b101051000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000005b10105100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@%systemroot%\system32\FirewallControlPanel.dll,-12122 = "Windows Defender Firewall"	MsiExec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2c	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	msiexec.exe

Modifies registry class 37 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A43090EC4A1ECF145AB64B7E3E3CB458\ProductName = "Cloudflare WARP"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A43090EC4A1ECF145AB64B7E3E3CB458\Version = "402850201"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A43090EC4A1ECF145AB64B7E3E3CB458\SourceList\PackageName = "Cloudflare_WARP_Release-x64.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\52824FB156B79AC4FAFF7B5B1EEC724B\A43090EC4A1ECF145AB64B7E3E3CB458	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A43090EC4A1ECF145AB64B7E3E3CB458\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3558294865-3673844354-2255444939-1000\{045D38D1-6E27-4157-8D83-12773F80D3DA}	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\com.cloudflare.warp\DefaultIcon	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\com.cloudflare.warp\shell\open\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A43090EC4A1ECF145AB64B7E3E3CB458\ProductFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A43090EC4A1ECF145AB64B7E3E3CB458\ProductIcon = "C:\\Windows\\Installer\\{CE09034A-E1A4-41FC-A56B-B4E7E3C34B85}\\icon.ico"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\52824FB156B79AC4FAFF7B5B1EEC724B	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\com.cloudflare.warp\shell\open\command\ = "\"C:\\Program Files\\Cloudflare\\Cloudflare WARP\\Cloudflare WARP.exe\" \"%1\""	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A43090EC4A1ECF145AB64B7E3E3CB458	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A43090EC4A1ECF145AB64B7E3E3CB458\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A43090EC4A1ECF145AB64B7E3E3CB458\SourceList\Media\1 = ";"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A43090EC4A1ECF145AB64B7E3E3CB458\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A43090EC4A1ECF145AB64B7E3E3CB458\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\com.cloudflare.warp	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\com.cloudflare.warp\shell	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\com.cloudflare.warp\shell\open	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A43090EC4A1ECF145AB64B7E3E3CB458	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A43090EC4A1ECF145AB64B7E3E3CB458\PackageCode = "C2989A85B33B9C64E884B658BC325DBF"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A43090EC4A1ECF145AB64B7E3E3CB458\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A43090EC4A1ECF145AB64B7E3E3CB458\SourceList\Net\1 = "C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\com.cloudflare.warp	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\com.cloudflare.warp\ = "URL:com.cloudflare.warp Protocol"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\com.cloudflare.warp\DefaultIcon\ = "\"C:\\Program Files\\Cloudflare\\Cloudflare WARP\\Cloudflare WARP.exe\", 1"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\com.cloudflare.warp\shell\open\command	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A43090EC4A1ECF145AB64B7E3E3CB458\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A43090EC4A1ECF145AB64B7E3E3CB458\SourceList\Media\2 = ";"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	msedge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A43090EC4A1ECF145AB64B7E3E3CB458\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A43090EC4A1ECF145AB64B7E3E3CB458\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\com.cloudflare.warp\URL Protocol	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A43090EC4A1ECF145AB64B7E3E3CB458\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A43090EC4A1ECF145AB64B7E3E3CB458\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A43090EC4A1ECF145AB64B7E3E3CB458\Clients = 3a0000000000	msiexec.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 34547.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
4840	msedge.exe
4840	msedge.exe
3420	msedge.exe
3420	msedge.exe
4176	identity_helper.exe
4176	identity_helper.exe
5364	msedge.exe
5364	msedge.exe
4880	msedge.exe
4880	msedge.exe
3608	Cloudflare WARP.exe
3608	Cloudflare WARP.exe
3608	Cloudflare WARP.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
5160	MsiExec.exe
5160	MsiExec.exe
2112	MsiExec.exe
2112	MsiExec.exe
2112	MsiExec.exe
2112	MsiExec.exe
5304	rundll32.exe
5304	rundll32.exe
5280	Cloudflare WARP.exe
5280	Cloudflare WARP.exe
5280	Cloudflare WARP.exe
380	Cloudflare WARP.exe
380	Cloudflare WARP.exe
380	Cloudflare WARP.exe
4900	Cloudflare WARP.exe
4900	Cloudflare WARP.exe
4900	Cloudflare WARP.exe
2688	Cloudflare WARP.exe
2688	Cloudflare WARP.exe
2688	Cloudflare WARP.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3868	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3868	msiexec.exe
Token: SeSecurityPrivilege	4372	msiexec.exe
Token: SeCreateTokenPrivilege	3868	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3868	msiexec.exe
Token: SeLockMemoryPrivilege	3868	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3868	msiexec.exe
Token: SeMachineAccountPrivilege	3868	msiexec.exe
Token: SeTcbPrivilege	3868	msiexec.exe
Token: SeSecurityPrivilege	3868	msiexec.exe
Token: SeTakeOwnershipPrivilege	3868	msiexec.exe
Token: SeLoadDriverPrivilege	3868	msiexec.exe
Token: SeSystemProfilePrivilege	3868	msiexec.exe
Token: SeSystemtimePrivilege	3868	msiexec.exe
Token: SeProfSingleProcessPrivilege	3868	msiexec.exe
Token: SeIncBasePriorityPrivilege	3868	msiexec.exe
Token: SeCreatePagefilePrivilege	3868	msiexec.exe
Token: SeCreatePermanentPrivilege	3868	msiexec.exe
Token: SeBackupPrivilege	3868	msiexec.exe
Token: SeRestorePrivilege	3868	msiexec.exe
Token: SeShutdownPrivilege	3868	msiexec.exe
Token: SeDebugPrivilege	3868	msiexec.exe
Token: SeAuditPrivilege	3868	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3868	msiexec.exe
Token: SeChangeNotifyPrivilege	3868	msiexec.exe
Token: SeRemoteShutdownPrivilege	3868	msiexec.exe
Token: SeUndockPrivilege	3868	msiexec.exe
Token: SeSyncAgentPrivilege	3868	msiexec.exe
Token: SeEnableDelegationPrivilege	3868	msiexec.exe
Token: SeManageVolumePrivilege	3868	msiexec.exe
Token: SeImpersonatePrivilege	3868	msiexec.exe
Token: SeCreateGlobalPrivilege	3868	msiexec.exe
Token: SeBackupPrivilege	2816	vssvc.exe
Token: SeRestorePrivilege	2816	vssvc.exe
Token: SeAuditPrivilege	2816	vssvc.exe
Token: SeBackupPrivilege	4372	msiexec.exe
Token: SeRestorePrivilege	4372	msiexec.exe
Token: SeRestorePrivilege	4372	msiexec.exe
Token: SeTakeOwnershipPrivilege	4372	msiexec.exe
Token: SeBackupPrivilege	5692	srtasks.exe
Token: SeRestorePrivilege	5692	srtasks.exe
Token: SeSecurityPrivilege	5692	srtasks.exe
Token: SeTakeOwnershipPrivilege	5692	srtasks.exe
Token: SeBackupPrivilege	5692	srtasks.exe
Token: SeRestorePrivilege	5692	srtasks.exe
Token: SeSecurityPrivilege	5692	srtasks.exe
Token: SeTakeOwnershipPrivilege	5692	srtasks.exe
Token: SeRestorePrivilege	4372	msiexec.exe
Token: SeTakeOwnershipPrivilege	4372	msiexec.exe
Token: SeRestorePrivilege	4372	msiexec.exe
Token: SeTakeOwnershipPrivilege	4372	msiexec.exe
Token: SeRestorePrivilege	4372	msiexec.exe
Token: SeTakeOwnershipPrivilege	4372	msiexec.exe
Token: SeRestorePrivilege	4372	msiexec.exe
Token: SeTakeOwnershipPrivilege	4372	msiexec.exe
Token: SeRestorePrivilege	4372	msiexec.exe
Token: SeTakeOwnershipPrivilege	4372	msiexec.exe
Token: SeRestorePrivilege	4372	msiexec.exe
Token: SeTakeOwnershipPrivilege	4372	msiexec.exe
Token: SeRestorePrivilege	4372	msiexec.exe
Token: SeTakeOwnershipPrivilege	4372	msiexec.exe
Token: SeRestorePrivilege	4372	msiexec.exe
Token: SeTakeOwnershipPrivilege	4372	msiexec.exe
Token: SeRestorePrivilege	4372	msiexec.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3868	msiexec.exe
3868	msiexec.exe
6116	msiexec.exe
6116	msiexec.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3420 wrote to memory of 936	3420	msedge.exe	83
PID 3420 wrote to memory of 936	3420	msedge.exe	83
PID 3420 wrote to memory of 5108	3420	msedge.exe	84
PID 3420 wrote to memory of 5108	3420	msedge.exe	84
PID 3420 wrote to memory of 5108	3420	msedge.exe	84
PID 3420 wrote to memory of 5108	3420	msedge.exe	84
PID 3420 wrote to memory of 5108	3420	msedge.exe	84
PID 3420 wrote to memory of 5108	3420	msedge.exe	84
PID 3420 wrote to memory of 5108	3420	msedge.exe	84
PID 3420 wrote to memory of 5108	3420	msedge.exe	84
PID 3420 wrote to memory of 5108	3420	msedge.exe	84
PID 3420 wrote to memory of 5108	3420	msedge.exe	84
PID 3420 wrote to memory of 5108	3420	msedge.exe	84
PID 3420 wrote to memory of 5108	3420	msedge.exe	84
PID 3420 wrote to memory of 5108	3420	msedge.exe	84
PID 3420 wrote to memory of 5108	3420	msedge.exe	84
PID 3420 wrote to memory of 5108	3420	msedge.exe	84
PID 3420 wrote to memory of 5108	3420	msedge.exe	84
PID 3420 wrote to memory of 5108	3420	msedge.exe	84
PID 3420 wrote to memory of 5108	3420	msedge.exe	84
PID 3420 wrote to memory of 5108	3420	msedge.exe	84
PID 3420 wrote to memory of 5108	3420	msedge.exe	84
PID 3420 wrote to memory of 5108	3420	msedge.exe	84
PID 3420 wrote to memory of 5108	3420	msedge.exe	84
PID 3420 wrote to memory of 5108	3420	msedge.exe	84
PID 3420 wrote to memory of 5108	3420	msedge.exe	84
PID 3420 wrote to memory of 5108	3420	msedge.exe	84
PID 3420 wrote to memory of 5108	3420	msedge.exe	84
PID 3420 wrote to memory of 5108	3420	msedge.exe	84
PID 3420 wrote to memory of 5108	3420	msedge.exe	84
PID 3420 wrote to memory of 5108	3420	msedge.exe	84
PID 3420 wrote to memory of 5108	3420	msedge.exe	84
PID 3420 wrote to memory of 5108	3420	msedge.exe	84
PID 3420 wrote to memory of 5108	3420	msedge.exe	84
PID 3420 wrote to memory of 5108	3420	msedge.exe	84
PID 3420 wrote to memory of 5108	3420	msedge.exe	84
PID 3420 wrote to memory of 5108	3420	msedge.exe	84
PID 3420 wrote to memory of 5108	3420	msedge.exe	84
PID 3420 wrote to memory of 5108	3420	msedge.exe	84
PID 3420 wrote to memory of 5108	3420	msedge.exe	84
PID 3420 wrote to memory of 5108	3420	msedge.exe	84
PID 3420 wrote to memory of 5108	3420	msedge.exe	84
PID 3420 wrote to memory of 4840	3420	msedge.exe	85
PID 3420 wrote to memory of 4840	3420	msedge.exe	85
PID 3420 wrote to memory of 1996	3420	msedge.exe	86
PID 3420 wrote to memory of 1996	3420	msedge.exe	86
PID 3420 wrote to memory of 1996	3420	msedge.exe	86
PID 3420 wrote to memory of 1996	3420	msedge.exe	86
PID 3420 wrote to memory of 1996	3420	msedge.exe	86
PID 3420 wrote to memory of 1996	3420	msedge.exe	86
PID 3420 wrote to memory of 1996	3420	msedge.exe	86
PID 3420 wrote to memory of 1996	3420	msedge.exe	86
PID 3420 wrote to memory of 1996	3420	msedge.exe	86
PID 3420 wrote to memory of 1996	3420	msedge.exe	86
PID 3420 wrote to memory of 1996	3420	msedge.exe	86
PID 3420 wrote to memory of 1996	3420	msedge.exe	86
PID 3420 wrote to memory of 1996	3420	msedge.exe	86
PID 3420 wrote to memory of 1996	3420	msedge.exe	86
PID 3420 wrote to memory of 1996	3420	msedge.exe	86
PID 3420 wrote to memory of 1996	3420	msedge.exe	86
PID 3420 wrote to memory of 1996	3420	msedge.exe	86
PID 3420 wrote to memory of 1996	3420	msedge.exe	86
PID 3420 wrote to memory of 1996	3420	msedge.exe	86
PID 3420 wrote to memory of 1996	3420	msedge.exe	86

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://# 🔴 Cloudflare Warp+ 💖 Traffic: 2400 TB 💖 For 5 Devices 💖 Site: https://1.1.1.1 # 🟢Keys: oFS7x198-l9845BXZ-P4Up03c1 6ajc281W-chn962A3-12n0F5Gi D04G5O3M-IF37Mn09-816wE4oq PO0B134K-2bzL073G-q9l73Ih2 e6PJ83Q0-6h4trK52-OXxv6780 S2e1P5t0-D80bJ5L2-n79d43Mf Swf9168h-0H85cfe6-y6n27b5K X7n93hm2-H3iG954e-v6459CXy Hg16RZ20-2Y594ghZ-Hk6aq392 8R09kQ7K-4yI5B67v-c398G0Ae 4an6g1F0-U87j4CB9-8U07zXk1 bF0916ve-Z02sK5P8-Q50u9R6W Cb972im1-9er7FR21-Jo574QD3 h251G0te-t26z8fs4-Y8Hs76W4 h1J376kv-Po1472Fd-R3741bSw l07uzZ46-18U0Z5eX-Ir2S18e7 S859srg0-B81T95DP-9huAi185 r39W78oQ-t8O5u4Y1-546nz7IE 3725zhGf-K645A1WF-6da98KV4 7nz50Ga3-P4O93Ym2-yxH847S5 4O8SuI73-E20OlN43-378J2haV 2d7e94PO-1ed48l5I-2u50Zs3v 27QY9qt5-0O3K9ye7-3Ax78on2 C2m7IJ90-M45s1G8q-g846WQq5 31H7e6nb-io60En71-4AQ1jU95 AO016Fx4-718jFR4w-82xCPF09 0O3g2ql4-0MR74w1e-50dXn37v Mar2496p-M8z69Fw5-8ehb723V t2g3h40W-Ohy52u16-5M76SD8N 4f6bT90e-42UEFg57-3f1v6J4s 81NctR24-e4c0Lp39-c2Qa584r W3768HhL-6VRv854Y-1940qDfw xK08RV35-83B4Gr7H-sZ98v54Q W97B4U3T-l94B65xq-Bx0p92u7 B1N4m79w-9Zy425oT-6xOG893Q 6Vx97Xk0-3U459pnL-aT326Nb8 Kc42U3a1-4vb36F8j-j21N5M7b 0mt469Kn-8IE527qr-s638ti9u 5S907bJh-B9k4V8K2-3o8nE6l0 FA5286bQ-wr752DI9-R96YD32q C7QfL319-67Ohb0w5-80id39sI 08nPd26p-1T0s98bG-J2bu315s r1b7HD92-x75Tg42E-B8MH95s4 es92qG31-6l187iaH-f93ceg20 y941xQY7-230Bp4qX-s1IRt495 ks50j19O-e38lB49M-rq9A170z 7UO0e96A-821o4dQq-69DC3U8w 0K59R3Ng-3zl184rN-64L9JEX5 V9hU4M36-521V8Fxz-6P01fG9U 2H4o0vG3-6k74P9pN-96V2q0vY 073T6feQ-Ns2i8n39-Z8X2I0C9 0r146tyZ-864IkBh9-t4lYz586 1d9DW82N-1cV7n36C-XE08dB27 HRK10E32-Rt4L6X81-48A76euG 9JAu4i31-ch2wH561-1Y9y7Ke6 f46aJ29t-0zvJg784-WP862C1e 8czC976t-3paLn504-2qX81r3E 9D8v40Gl-v2Q8z6g1-46I8Y9Vy 6k1D94uN-z1igt423-581rq0Gu 6on7z45e-4z2GW1L6-P7q2w0X5 O7L095KB-4L81yP7O-2iZR93m6 6BG51c7u-61S5wi9x-ys26r5I7 tYk9a803-936UyXC7-CB290UN7 0tl1w37T-I1Hd9W78-02gx4K8Z vy493h5O-GE539f7a-pb3U209u 913e4DzT-3ow60a4T-o253vkL6 4Bun617h-5u2cTP93-y4oE3M57 4851LTOM-53F7p9CE-JS83j2H4
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa047246f8,0x7ffa04724708,0x7ffa04724718
  2⤵
  PID:936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,17957150021870497448,2059378983277024271,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,17957150021870497448,2059378983277024271,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,17957150021870497448,2059378983277024271,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8
  2⤵
  PID:1996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17957150021870497448,2059378983277024271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:2496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17957150021870497448,2059378983277024271,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:2468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17957150021870497448,2059378983277024271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:1824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17957150021870497448,2059378983277024271,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
  2⤵
  PID:4404
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,17957150021870497448,2059378983277024271,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3624 /prefetch:8
  2⤵
  PID:3116
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,17957150021870497448,2059378983277024271,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3624 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17957150021870497448,2059378983277024271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17957150021870497448,2059378983277024271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
  2⤵
  PID:900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17957150021870497448,2059378983277024271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
  2⤵
  PID:1800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17957150021870497448,2059378983277024271,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
  2⤵
  PID:4860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2104,17957150021870497448,2059378983277024271,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3592 /prefetch:8
  2⤵
  PID:5356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2104,17957150021870497448,2059378983277024271,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3392 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17957150021870497448,2059378983277024271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1
  2⤵
  PID:5668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17957150021870497448,2059378983277024271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
  2⤵
  PID:5688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17957150021870497448,2059378983277024271,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
  2⤵
  PID:5696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17957150021870497448,2059378983277024271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
  2⤵
  PID:5984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17957150021870497448,2059378983277024271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
  2⤵
  PID:6088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17957150021870497448,2059378983277024271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
  2⤵
  PID:5200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17957150021870497448,2059378983277024271,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2012 /prefetch:1
  2⤵
  PID:5228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17957150021870497448,2059378983277024271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
  2⤵
  PID:5432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17957150021870497448,2059378983277024271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
  2⤵
  PID:5632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17957150021870497448,2059378983277024271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6288 /prefetch:1
  2⤵
  PID:5140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,17957150021870497448,2059378983277024271,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1812 /prefetch:8
  2⤵
  PID:5148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,17957150021870497448,2059378983277024271,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6628 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4880
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\Cloudflare_WARP_Release-x64.msi"
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,17957150021870497448,2059378983277024271,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4940 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17957150021870497448,2059378983277024271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:4544

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4192

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4892

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4372
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5692
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 186E8CEACFFABFBAB7D8CF604BD88145
  2⤵
  - Loads dropped DLL
  PID:6136
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSIA0EE.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240689421 2 Warp.Installer.Actions!Warp.Installer.Actions.CustomActions.ReadCmdLineParams
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:3856
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DB6A16A09FB9A41CFA82EB97B43F1EB8
  2⤵
  - Loads dropped DLL
  PID:4700
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding A4D3DAC9F700B3AFE9C6C5B8E8C01AF8 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:2392
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSIAD95.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240692687 32 Warp.Installer.Actions!Warp.Installer.Actions.CustomActions.InstallService
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:2532
  - - C:\Windows\system32\sc.exe
      "sc.exe" create CloudflareWARP binPath= "\"C:\Program Files\Cloudflare\Cloudflare WARP\warp-svc.exe"\" displayname= "Cloudflare WARP" start= "auto"
      4⤵
      Launches sc.exe
      PID:5628
  - - C:\Windows\system32\sc.exe
      "sc.exe" config CloudflareWARP depend= "wlansvc"
      4⤵
      Launches sc.exe
      PID:1528
  - - C:\Windows\system32\sc.exe
      "sc.exe" failure CloudflareWARP reset= 86400 actions= restart/0/restart/1000/restart/5000
      4⤵
      Launches sc.exe
      PID:3768
  - - C:\Windows\system32\sc.exe
      "sc.exe" failureflag CloudflareWARP 1
      4⤵
      Launches sc.exe
      PID:1460
  - - C:\Windows\system32\sc.exe
      "sc.exe" config CloudflareWARP start=AUTO
      4⤵
      Launches sc.exe
      PID:5468
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding EB77661EF7485FF42EBFE1393465A70C E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:3272
- C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe
  "C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:3608
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 189F47A14203B034FA75F5CAF4506A67
  2⤵
  - Loads dropped DLL
  PID:2280
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI3E10.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240729671 58 Warp.Installer.Actions!Warp.Installer.Actions.CustomActions.CheckRepairElevated
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:6124
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI3F88.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240729984 63 Warp.Installer.Actions!Warp.Installer.Actions.CustomActions.ReadCmdLineParams
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:5352
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 363DA1B844C3AB10196176CE9D48A2DB
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:5160
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 0841006B82CA595E19F0C2E73204841D E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2112
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 4A84CF0B87E0F8BD66689448FE7F3692 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:3372
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI4337.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240730953 106 Warp.Installer.Actions!Warp.Installer.Actions.CustomActions.PrepareForUpgrade
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:5304
  - - C:\Windows\system32\sc.exe
      "sc.exe" failure CloudflareWARP reset= 0 actions= /////
      4⤵
      Launches sc.exe
      PID:2628
  - - C:\Windows\system32\sc.exe
      "sc.exe" failureflag CloudflareWARP 0
      4⤵
      Launches sc.exe
      PID:1376
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI4AE9.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240732906 118 Warp.Installer.Actions!Warp.Installer.Actions.CustomActions.InstallService
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:4664
  - - C:\Windows\system32\sc.exe
      "sc.exe" failure CloudflareWARP reset= 86400 actions= restart/0/restart/1000/restart/5000
      4⤵
      Launches sc.exe
      PID:5816
  - - C:\Windows\system32\sc.exe
      "sc.exe" failureflag CloudflareWARP 1
      4⤵
      Launches sc.exe
      PID:5460
  - - C:\Windows\system32\sc.exe
      "sc.exe" config CloudflareWARP binPath= "\"C:\Program Files\Cloudflare\Cloudflare WARP\warp-svc.exe"\"
      4⤵
      Launches sc.exe
      PID:4880
  - - C:\Windows\system32\sc.exe
      "sc.exe" config CloudflareWARP start=AUTO
      4⤵
      Launches sc.exe
      PID:4964
- C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe
  "C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:5280

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:5580

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2844

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\Cloudflare_WARP_Release-x64.msi"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:6116

C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe
"C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:380

C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe
"C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4900

C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe
"C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e589a87.rbs

Filesize
161KB

MD5
36d8722d7be4998a791e255f7e618754

SHA1
e2ee3d964253c3b97c207e9d4f5bfecd4694ab97

SHA256
0f762d5d546f58488b412b8276a6faaf527c61ce5f9ea7890780da55cc2d7e2a

SHA512
d11ffe91ef33ec5542abbaf37ed6a0a10946e03f243e0eb1c41e1bb0a131881f1822eeb9b2463eb35932ee94bc5ac53de87464cce4fe89b599ba764b77577dbf

Download Submit
C:\Config.Msi\e589a89.rbs

Filesize
161KB

MD5
0e44fef1c447d8ae4e89a960bb36a018

SHA1
80b9436a57519e64b8bcf6464c472f20fe6a5b25

SHA256
641e3b26adab7f80df61024d11d662b4503e2b7c1ae13fd80ce2b9e13614e1ce

SHA512
3c5775840537fdafa769b464d687b2e3e49cde33d929a35af983e92c4b95d250af8eff6bd06ce8e14a605334ad2d581a47f6c5aa9b7e0fb63089a4b8a4a6f1d2

Download Submit
C:\Config.Msi\e589a91.rbf

Filesize
285KB

MD5
b48ebfb9013ac1fa690be72f6ec85837

SHA1
5bfeeddd4c9770a6ad65023c1b138f4a6cfcf0db

SHA256
11753fed5abb0dc21ce213382b7fd665005285e240ef8309939f6c76581f3ce2

SHA512
9ec03b6a6a3a5f10fbde9f55d9133d4c321b9dff080a54e3c6e47e2f4230e64d41afc66531ecdd0367e7eb858a349587c9e1c168826ba735ca58e5ba71290b71

Download Submit
C:\Program Files\Cloudflare\Cloudflare WARP\warp_ipc.DLL

Filesize
3.6MB

MD5
39c48fd46109b539680345fb845940a7

SHA1
d54e4a7e6fc763b1317f57eeec3951ff8a8cc072

SHA256
a4fca5996d0795b79a6c9d13f719fd0f4dcc19096331c8fcb742f48629656d1c

SHA512
045462ad1aef8e7655accf16feae7ec20a7b3a7b4767413dc8bac18b6e0688eea397a7740876ed6351f0494a874d82e35e7a2e4ea507f2c8c98527da610446cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
872a1f94ee3eec12def97c9e437c4d9f

SHA1
f61fd955c0a533fc5404b19476804ef8e2523206

SHA256
757b2057febaa6ed1a8585525d48e6238711b1fd334091c1385d5d265c44fe20

SHA512
7be41e53df2b9fc06467564dc5d1f63a7bfb4545841223e15186c00bf574d82c81d465ba0a856aa210d8589f6a3039bb1d1735f59bfb61af41719958aa187d33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_83EE79D1FEE086A5198EA6E5637C35C8

Filesize
727B

MD5
6859d7194cd2b111019f53de7eeb9dbc

SHA1
c015bdcbb58f79ad6fa77055a6327288b57968ef

SHA256
18213db1f29a70cd7d9bef6ad2ff35d31de460a209501057e6acf7b82e499676

SHA512
e09680ec2429cea7c710a42c4df67920a7108a6fbb9d9f322ecf255cb9c7ae26ddd327b8eb48c5a22b5745d4981d49de1a8a8ab4ebfc1e8ce7a9112d32886d8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
d90b241db1039fd2122e2386d692427e

SHA1
eb2e224d6205d90df1101b024c8234369ef24654

SHA256
7c81c821d465fe2e0584934503d4006e8fb18f3f4ae6a6cc46ef418641de85aa

SHA512
dafe924d6e81d03e90a89922ae2e68957f4425483f096192004d52cf0dde217ce56d49c76ceb14bda8bf64b2d5c2039318be6818d00a9a638374ca1434ea2522

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
f600f902c3fb297565e24cd909b3d9d3

SHA1
a848a052516d83dcb87cb6cc1a32ebb58af37396

SHA256
6c40e05213843dd46c6360e2d05579fcc5115af75e01e7fcebdb5035d1dcf1c9

SHA512
c7204a4ef8dc382951d6cce7981455c088fbf3203318218a587988a4b62846170a2aa8863484fd587fed8c9993dbf73c1ce6c54effb3a6c7b09e4ad11adaa835

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_83EE79D1FEE086A5198EA6E5637C35C8

Filesize
412B

MD5
59f88f77ccb02f6b11884d8ae5703900

SHA1
9c05837248bbda8dea88dbc8bf7addb622f6d26f

SHA256
b104f26e8737d075a00569bb122d633f555f0651256e7ae9e86f1e70d5cc019d

SHA512
031e76e44fdb065b1ca4e54e1a1f90a4dcfc2f902e76ac66b6727c54917d5595cd010ab4628e0346d75a0997421ee87dbcc8c7ed86a268dfa7f188699c26f658

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
80ee6bc038c237278617c6322c4ecc94

SHA1
a63dcf1ddac3ce6d0d6d1565cdc5bc07b17a4edb

SHA256
629a59ea0ebd23fdd7bd9bc6f58a6b296f8d046c01519ba1bfd4313e498b21ba

SHA512
ff8682756ce65f283c565cdd098353028efb7f95dfc47c5d61fde9dcfef3a71c49436d5714f946820175e501303b23fca4dc2a7665285ce7b15c5dcc41170c0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\rundll32.exe.log

Filesize
737B

MD5
5727da8319619d065c7a43f9a7322529

SHA1
aacdde2f71d8c9f3993614bfed0d5ce754c2138f

SHA256
ab68e7ac87c905042b3ff21ea1e50b1eb48666b8e4834fd42c51295e879a9572

SHA512
35d9459254824a051d94f3eba1151e49a8919a924c7a32ba2a6d3a40e29c0e43412e36d4629fe425112e434975367e12edda84f76b7325ac643f0a595d232e16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f61fa5143fe872d1d8f1e9f8dc6544f9

SHA1
df44bab94d7388fb38c63085ec4db80cfc5eb009

SHA256
284a24b5b40860240db00ef3ae6a33c9fa8349ab5490a634e27b2c6e9a191c64

SHA512
971000784a6518bb39c5cf043292c7ab659162275470f5f6b632ea91a6bcae83bc80517ceb983dd5abfe8fb4e157344cb65c27e609a879eec00b33c5fad563a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
87f7abeb82600e1e640b843ad50fe0a1

SHA1
045bbada3f23fc59941bf7d0210fb160cb78ae87

SHA256
b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262

SHA512
ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
67KB

MD5
d2d55f8057f8b03c94a81f3839b348b9

SHA1
37c399584539734ff679e3c66309498c8b2dd4d9

SHA256
6e273f3491917d37f4dbb6c3f4d3f862cada25c20a36b245ea7c6bd860fb400c

SHA512
7bcdbb9e8d005a532ec12485a9c4b777ddec4aee66333757cdae3f84811099a574e719d45eb4487072d0162fa4654349dd73705a8d1913834535b1a3e2247dc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
40KB

MD5
87eab20b7e2a7da5d6b439590bc2089c

SHA1
a1300688e3d2b77d2bb4477ac7884c77615a83aa

SHA256
ce7995a2b4b472912684a80e9b84f98a2e89df2c90586629c7536a6d5977aa4e

SHA512
39731b660c4003053bd28634754eea722e5d952c5d4bb40c0c3b3078fcc236b8b38b6904345b60956ee3074ac24df637d85041ace262a97d3caacdd1e5f104b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
19KB

MD5
76a3f1e9a452564e0f8dce6c0ee111e8

SHA1
11c3d925cbc1a52d53584fd8606f8f713aa59114

SHA256
381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c

SHA512
a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
84KB

MD5
74e33b4b54f4d1f3da06ab47c5936a13

SHA1
6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c

SHA256
535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287

SHA512
79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
1.2MB

MD5
a60df2bc955cc9a12ceffe99b2aaec50

SHA1
914b78d052111e64a7ba10140c7329e8979d7a1f

SHA256
95d1ed7cd185a35a9bae139ec8ffaa570fa55e5a28848ab085110210bf53387a

SHA512
325752e58051317c3329768d0abd585e90e16d9d13909b326f59b58e44639c3b482863d37bdf6dbced24d72e7f67cc335ba33b22b9ecca72c8e55c1eea9ca211

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
a3bb13aa04bc8c0e55e117eb66155d1d

SHA1
1d8277c17fda9e46c9f6167784957462c93de39b

SHA256
42c4eef65cecbada4b29bc9b6e4aff7775f5b2f9a5a916619d08f31a0f1b96f2

SHA512
9982ff8b6e9b02f765a31dfe712fa24fc05da91432f2275ca5003f84a64a79ef3f92f4229b1cd65af5ac264e8c8090b18267fc8ab5ca5987f677364134aa89c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
95165e3d55226289499d04fbe66c6323

SHA1
7bb4075ef880c52fa70d469654455ed8ff92585b

SHA256
1a5071acc094f44eb34f9b0603128c7ee126969ab53c2ed0f942eae663c0b45e

SHA512
e1dfc202238088b264a6022aa4c969ab925829e6a92bf83bf3d9afeb6945bf0d08eb2e9c0b1d0cb11b95fc814ad4c4057d112031a0444acf4dba0823d7d6818c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
0cd1658a020f8b55fd84ba164f195320

SHA1
a84c38ebe1be97031df58bba9cfc387c2aafd564

SHA256
d9a019f83d3c00d97fd7c3a3c2cd04b4505e52fac2a713ec1e6e79282b48dc42

SHA512
bcd6efebaefbfb9855f02e9cd76c9c192568a677bead5e9d567a11766d1dcdfd8038689d22e78c54cfdccf7d460185f62d3163c3c2e1f78af1940415d08a598e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
711B

MD5
2e70c8ee50fe93e00b53b757b94585ad

SHA1
90ef3604cf82fc2f6d0e58a0ee3fb112300e46c0

SHA256
4196ea2c7f6e5e272720f0c5729f4e6825485151fb12b561abec899c0c14fd00

SHA512
3aa1cf69133c797f67355dff7be5bf6c0e26a60f631fe3c615e2ec4a4449d457982e78dcb953c4803233ca339c2f1407f402248157ee42d24b82efd1c41483c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4a8a4d48bb02c6e46e83655fd81f6e9a

SHA1
077dbcd1b5c29bf2645e107c9f254d2c66ad2b6b

SHA256
a7171691d9b7dcf03d4691fed1324131728197e9af6cdb74e180a9fe83b8c646

SHA512
e22faa6900a8184ef82b7e2b32b7419508a30131499cc1471338b97351fefc2820c897339e4477d71a51c827765ab0a4b2f75ddc0b2379d30ba0ee734f8e5ff5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6ca051c52a86c8b664522b81bb8de467

SHA1
6dfe4b5525458617ad1e6ba138837ea8288516e9

SHA256
464130eb2da6f9410095312dd96ebb68e3c85e7407e504f2dff7babd754578d9

SHA512
ff6f4933b2cbb1d555d4b154e34f864f3c766167a5a4df04828c87fbdaa6f2095909c542e2f900b4a4da2656400bb1608178e3c9a9ae865f398905bca4600037

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
89c75fa3c9dc3d0e4960fa61d1a18c58

SHA1
62d36ffa1849b915f638ea178faa81423ca1906b

SHA256
57e2f070c517411a5c8f43ba7e4f63755c194902128a7d90ad8e3bad8818da59

SHA512
3bc4ac046d333f09b85a7eaf7417d80634827ea7cfd3bd136b2cb3ef0bc08cac3a428df869a7604f08d3a35064c1beb148eeabf7dbd78a6cc55b36b5f2307ea1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cdd300f1a32989cb25b5a30b566e32ac

SHA1
b69b55fcc2f2c8c359d84c1b12867009bdcef169

SHA256
6168112c7705fd1aa7485aa1a785b0e8d9dbbb80fa946bd2be93f0482d9b18b9

SHA512
253fe9e47990f193b17278e848903dc48a4ca876afe0aa937e3fe6b3cdd2f7c225de6e0d02e902df520629bcdc5b57076614b7c21fe55b8a65e886e34d1a48d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c37b9c2a7f52c3e78c6600fa8d719295

SHA1
8d8116930b4344c8557d4e4c0f9653bd3b5d20d5

SHA256
d06b660ba01e8bd1dc05d1fc754873478373a10f7e9fe3f8446bbb54f2826aa6

SHA512
453ae80cc4e2c56a99e66011294dc8949288f0f517b79805429af9f8c3515f2f481b30b02cae953f4fdf36d7fcce721e21660579d7996732639f40a42d355635

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5f4de8700c55c401663ea648dcec8c48

SHA1
13044b4124a4e09e82171fe95dd2f4a7cad8994c

SHA256
70f03ef64e13ddc3287feb44f4535de05c7034f33c5ddf07741b785a307fa401

SHA512
85f68e1ef47403a8a3bb3e4e11275d3fdc691bed2921d20b10947bdab0b1a0bdf174e4960d63e1c077dfe0555b7359c715ad9d01c25d2d76768106d317fcb8d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0c596fe8b3e05bfb0e1fd26a2a358d35

SHA1
19646f84e3c62effd7ba2b8e9ccd81759bd88aaa

SHA256
dbd73e62bb2050236920d7940d6440ef031ff8789741366647f60ef871a5a1af

SHA512
fefae5f2e8c2dd5ddc9b3aa808842c59c794ba634b9e2272ebe4222f6b077d49797ae7fe7297e6f39711d8159bd22c769ecdb5ec6dbac3e9f0740df3382b3848

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
aa6ba7799fc8512202297543ad0d0b2f

SHA1
415b8b8a0a46da4a9401cb632b908e4e4905fab5

SHA256
ca7c4b7919c8e330be12564da23afe38ac39bb0d0a9621104c68d121ebe756c9

SHA512
44bf2239c0278939204cd7dcfc7fbb318813ddf2842b19e3fb4693482df848e1b582b15ad461aa3f51b3a3d4d0a9a5a37a03b820a027cb07bf7e8d68e71e3c32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
19fe75dcfacac50aa239ebef8ef46462

SHA1
270536a2ab573ae19bf530e69bbb6f209c06f1a0

SHA256
56d3f1bd202c6db7c72b8a61954c1ae52eaac09f07940606314e979971d62731

SHA512
7b40c5c9d0ee85dc934ef2de1dd04af42249347428d86f81481784ac4346e55e441d473a734788137739233f2834b2422dac0153fdf069dd7301ccc3ca6fb378

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8830a2cea3c7c08577a0c3a777a37c10

SHA1
131831bca11a593b7f2777e35d7d9dabf9d30ecd

SHA256
8873e5fbc618d5347d969e89acb17eeb6cadf024bee7e54d4767dac5eba57029

SHA512
88cdb9eb607632ff8fb6e90e11e9b10a76256c3311636e5334664628e7e339dcab917f267a356766678cd7b30e1ae31de0c2dd9efcd2ea778907f7dc1869f06e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c709.TMP

Filesize
538B

MD5
9cd53f2963c5f84d901db894f1e396bd

SHA1
a894ba1c3652060987662d2c1762128a38bdc5de

SHA256
f52d6973aa8635fd9da6dfb4f34287ea80e2ac065eb270e9a96df179c5ecbb5d

SHA512
7ca6a1b394846af98b93332a8728494fee2936a5d9f1d99a7bee8cdd107de8345518a35b9d0c27ff127438dc1c80c497e6fe05018b884a6be6e257c07a92c78f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5a3a77b2010351eb55064cd101ce7ed5

SHA1
68d793a04e28e27ae0ae29ae44bb2e7c4d23f4b2

SHA256
b0ae00f6a49d52e0f1193957e0bf62474e19b1c488b8aa57203f2870eb3468a5

SHA512
10fb91269ac00f7437dd97b796a1aa9dcb7a1217ac27e134569acd4cd0249fe80dcde89bc82b5b4597d1f98d768fb2dcde22fa5666b4575ab7fa4c5fa92012be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
18d7fcb2705d8931c520032538cfd218

SHA1
e40bfbe8db610602121793315dd90cbcdd425f6e

SHA256
23d5663065ec57c3d2a18dae422e03b107d085f135e080c78e21aa5f2a6c0dbd

SHA512
ce9f9562790425d13844d943cce5f9f8a1e15be069146b4015feb5e8341becf7955c935f68d621a417867abd851dc775e1edea3d941c8a6d9235134252d0dc43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
8761014682da2410b755b60b1c270c5e

SHA1
4e040233918bfa9df176cb990a3773ee2c1df917

SHA256
dff7a1a045abf9d56119bfda31ecf2df5a297bd7e18b0ebce6e87e3df728500f

SHA512
666d65806279da086ba0132065b292459f504dc9f38643d1663e6956a9a7f6de6d5e7fc518d12072c0fdde43671fd963bde57ad7e33e8cb3bd5fe23527808a5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
9eb7694d630b9e481aa757aac98d47a9

SHA1
e2b71247a62843efd3d6dfae0746ab88b01f718d

SHA256
d25657603b0e3fcbdfbaf48147c7240d7c4259d7b07e42ae68706ddbc6fe3777

SHA512
3e506fbb35ecf8e0bce7e4b8cf2b461e7a00b98a8faaa86d44bb3581c76ea808898cc614c997863050744b68e79ab4c5504e86872097b750ae9a503dc753b7a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Cloudflare WARP\GobruJmn+zAsQFVGk0APG4rw2Saqn8k=\PresentationNative_cor3.dll

Filesize
1.2MB

MD5
607039b9e741f29a5996d255ae7ea39f

SHA1
9ea6ef007bee59e05dd9dd994da2a56a8675a021

SHA256
be81804da3077e93880b506e3f3061403ce6bf9ce50b9c0fcc63bb50b4352369

SHA512
0766c98228f6ccc907674e3b9cebe64eee234138b8d3f00848433388ad609fa38d17a961227e683e92241b163aa30cf06708a458f2bc4d3704d5aa7a7182ca50

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI848cc.LOG

Filesize
35KB

MD5
8b73b9cb96ac00f5b73e036a29d369f2

SHA1
6bbbe0ad1a8b57178a46c561d215f7f0211a57c6

SHA256
e304d2dcb52121ce66aa781349122a87bccbf8461c86e368080cd0f2fd228257

SHA512
385b9ba16a97c2bd3243a94fecba2d3ae34f390a51a52a7fecb7f8df8d04183b084882780ea63cae9a8c4619c9be958c47c719790849d0078246112422614c9c

Download Submit
C:\Windows\Installer\MSI4337.tmp-\Newtonsoft.Json.dll

Filesize
685KB

MD5
081d9558bbb7adce142da153b2d5577a

SHA1
7d0ad03fbda1c24f883116b940717e596073ae96

SHA256
b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3

SHA512
2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

Download Submit
C:\Windows\Installer\MSIA0EE.tmp

Filesize
541KB

MD5
d9dd4305c1b6f745464eb92ee264815e

SHA1
4ebf1b319ac10105c58a1b1101969b92aea28566

SHA256
87238cc5ee43135bd0b64fbe8303eb1b0356c3b9e222396f0fffc810c8757794

SHA512
472f0b9fd98bda9e9758b5ca1b92d0e77408693a211cfdd3715a09116f53d85132eda014b70b691ca163d3275ce2be5c044a6c19ca08bbce44a08ed097f44fab

Download Submit
C:\Windows\Installer\MSIA0EE.tmp-\Common.dll

Filesize
15KB

MD5
9b9f5590a12c1919454056ed5bbe4522

SHA1
59bd9e11419a22e55f89bc043928d0c9c0c0404b

SHA256
2032bf0083709eb7ff7ef090328155e1c0a2d835e568c58f7d4e4229c4ddb46a

SHA512
bf2091bd8a345d65eb5170adbb7f45309eb3e254b9ddbde1c7ef681ed91b30e17487af7f93a856fe327ade91d13562c293e4f04b275c9db6100e28b87f842e1c

Download Submit
C:\Windows\Installer\MSIA0EE.tmp-\Warp.Installer.Actions.dll

Filesize
21KB

MD5
66e027902419c2be67eff38c61121f69

SHA1
3bad9e0693aea4404910bee15a0af869a72d7aef

SHA256
639a6e9a1709e5ae86c749f3c7ba3d37a8d120bfebf852f32eefbf8e75110c55

SHA512
889597c20b1b167555841d5c8883301beadd81a1af490a6119db9245f8c77b317d6f14a019b09d447f5b4ec84af3630fec0ee48131172d4c73e8a7e683c86e14

Download Submit
C:\Windows\Installer\MSIA46B.tmp

Filesize
149KB

MD5
a4dc6ea6d0bdc5f8859e3b777ec3a075

SHA1
a78107dcf05d385fd2c067dc3c99d0f4c4cb080f

SHA256
20cbf04a263efc95fc173ce9a6e19ddb924a4e79950af32d0747a0f6f19f66a8

SHA512
6061081126ee348f86c1e79c1e6531a74bd7320d761ec72ac8c3763b7f52d5655558d16c85e6ae87939617dbd3f0efd67f68ab008d40cfc8a5d19dc91187b4a0

Download Submit
C:\Windows\Installer\MSIAD95.tmp-\CustomAction.config

Filesize
1KB

MD5
01c01d040563a55e0fd31cc8daa5f155

SHA1
3c1c229703198f9772d7721357f1b90281917842

SHA256
33d947c04a10e3aff3dca3b779393fa56ce5f02251c8cbae5076a125fdea081f

SHA512
9c3f0cc17868479575090e1949e31a688b8c1cdfa56ac4a08cbe661466bb40ecfc94ea512dc4b64d5ff14a563f96f1e71c03b6eeacc42992455bd4f1c91f17d5

Download Submit
C:\Windows\Installer\MSIAD95.tmp-\Microsoft.Deployment.WindowsInstaller.dll

Filesize
183KB

MD5
a4d3eaf44156ab27772e2cf99033ed64

SHA1
bd28431730bea4908d2ea728ea70ccf48debc5d8

SHA256
abe1742945a10588376cd127771c3d5f3f0579d4ff1bde15c41a494451d89444

SHA512
aeb342f38a05cd061b76bdc7cbfa469e6c95e40dc81707d0df2223a7bb1ac2b25169653aae4d49945ffd579954897a166d897b65410dec5ecda5f32e15f1adaa

Download Submit
C:\Windows\Installer\MSIB3E0.tmp

Filesize
234KB

MD5
ee248d3dd120e7f40d32019514c5fe73

SHA1
b6085a4fdd9ce834a7d73b42ce8846a80d0fc21b

SHA256
86ada378311714ac96700fa0000bae824342ceae6382ff8bee203b8af8f89b26

SHA512
a888b3f9dc63e57a0bc85be60193200d04e89006abf07eac71258a3107f72b13748b6a40c0eb1048dbf7f9179845c0dd4f53fc9786b847428cfd3fb4fe9a93e6

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
e00f23111ca3bf53edc44103213a2def

SHA1
8f4b095233e93022e488fc2c05b9107abac9820c

SHA256
e4af92f09a7d973a6fa7011973f58ca15a9e50689c43013dcdba49afa8060e26

SHA512
f6bb398d10741bcf6f08e43af5053f3503d767118d485a41c95ae8a23c091e9ccd17bd3a802a471ec0dbd6a5ddbfdc1c45310815cbacdc76497b3a078fa17240

Download Submit
\??\Volume{5110105b-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{56e27eb8-f9d0-433c-a1c5-098deb0bff98}_OnDiskSnapshotProp

Filesize
6KB

MD5
b93a318c54ca198291a018c5c7efc7fb

SHA1
e6b53b320a78efaaafc85843e9a979091d404a12

SHA256
5689a33216dc667fff58ab785f2da63c0b17098b48b5c719d0a084081ade20bb

SHA512
2c08e401e7ab0cbfeec3ff26165ac2433ff77026abec97f227eaa1c6e4116c4255e052e52e08233fc713a194a8f4f868edd0e3dc3fa2a21a7928191e77725919

Download Submit
memory/3608-790-0x00000221E1AC0000-0x00000221E1AC8000-memory.dmp

Filesize
32KB

Download
memory/3608-751-0x00000221E1B20000-0x00000221E1B67000-memory.dmp

Filesize
284KB

Download
memory/3608-754-0x00000221E1AA0000-0x00000221E1AB2000-memory.dmp

Filesize
72KB

Download
memory/3608-806-0x00000221E6370000-0x00000221E6BB2000-memory.dmp

Filesize
8.3MB

Download
memory/3608-787-0x00000221E23C0000-0x00000221E23FE000-memory.dmp

Filesize
248KB

Download
memory/3608-779-0x00000221E2DD0000-0x00000221E2FF3000-memory.dmp

Filesize
2.1MB

Download
memory/3608-775-0x00000221E22C0000-0x00000221E2300000-memory.dmp

Filesize
256KB

Download
memory/3608-772-0x00000221E1B00000-0x00000221E1B07000-memory.dmp

Filesize
28KB

Download
memory/3608-769-0x00000221E1AE0000-0x00000221E1AF3000-memory.dmp

Filesize
76KB

Download
memory/3608-766-0x00000221E02C0000-0x00000221E02EA000-memory.dmp

Filesize
168KB

Download
memory/3608-763-0x00000221E2C70000-0x00000221E2DCE000-memory.dmp

Filesize
1.4MB

Download
memory/3608-784-0x00000221E2270000-0x00000221E2279000-memory.dmp

Filesize
36KB

Download
memory/3608-781-0x00000221E1AD0000-0x00000221E1AD5000-memory.dmp

Filesize
20KB

Download
memory/3608-793-0x00000221E22A0000-0x00000221E22AE000-memory.dmp

Filesize
56KB

Download
memory/3608-745-0x00000221E2660000-0x00000221E2A3E000-memory.dmp

Filesize
3.9MB

Download
memory/3608-742-0x0000000180000000-0x0000000180A25000-memory.dmp

Filesize
10.1MB

Download
memory/3608-796-0x00000221E2280000-0x00000221E2294000-memory.dmp

Filesize
80KB

Download
memory/3608-748-0x00000221E2300000-0x00000221E2382000-memory.dmp

Filesize
520KB

Download
memory/3608-799-0x00000221E2390000-0x00000221E239B000-memory.dmp

Filesize
44KB

Download
memory/3608-760-0x00000221E2A40000-0x00000221E2C68000-memory.dmp

Filesize
2.2MB

Download
memory/3608-757-0x00000221E39D0000-0x00000221E4958000-memory.dmp

Filesize
15.5MB

Download
memory/3608-802-0x00000221E3000000-0x00000221E3044000-memory.dmp

Filesize
272KB

Download
memory/3856-631-0x00000203C6B00000-0x00000203C6B2E000-memory.dmp

Filesize
184KB

Download
memory/3856-635-0x00000203C6AD0000-0x00000203C6ADA000-memory.dmp

Filesize
40KB

Download
memory/3856-640-0x00000203DEFB0000-0x00000203DEFCA000-memory.dmp

Filesize
104KB

Download
memory/3856-639-0x00000203C6AE0000-0x00000203C6AE8000-memory.dmp

Filesize
32KB

Download